WireCAP: a Novel Packet Capture Engine for Commodity NICs in High-speed Networks


This is the official web site of WireCAP, a Novel Packet Capture Engine for Commodity NICs in High-speed Networks.

In this page, you’ll find the latest version of WireCAP, a complete documentation, and other related information.

What is WireCAP?

WireCAP is a novel packet capture engine for commodity network interface cards (NICs) in high-speed networks. WireCAP is designed to support the packet capturing and processing model shown in Figure 1.

In this model, a multi-queue NIC is logically partitioned into multiple receive queues, with each queue tied to a distinct core of a multicore system. Packets are distributed across the queues using a hardware-based traffic-steering mechanism, such as receive-side scaling (RSS). A thread (or process) of a packet-processing application runs on each core that has a tied queue. Each thread captures packets via a packet capture engine and handles a portion of the overall traffic. On a multicore system, there are several programming models (e.g., the run-to-completion model and the pipeline model) for a packet-processing application. Here, the application may be of any type. This new paradigm essentially exploits the computing parallelism of multicore systems and the inherent data parallelism of network traffic to accelerate packet capturing and processing.

Figure 1. Packet capturing and processing on Multicore systems


WireCAP features

  • WireCAP provides lossless zero-copy packet capture and delivery services by exploiting multiqueue NICs and multicore architectures. WireCAP introduces two new mechanisms—the ring-buffer-pool mechanism and the buddy-group-based offloading mechanism — to address the packet drop problem of packet capture in high-speed network.
  • WireCAP is efficient.  WireCAP employs several optimization techniques—including pre-allocated large packet buffers, packet-level batching processing, and zero-copy—to reduce the packet capture and delivery costs.
  • With WireCAP, the design of a packet-processing application can be simplified.
  • With WireCAP, the performance of a packet processing application can be improved. WireCAP provides large ring buffer pools in the kernel to accommodate captured packets and supports zero-copy packet capture and delivery. Therefore, an application need not copy captured packets from low-level ring buffer pools and store them into its own set of buffers in user space. Instead, the application can use ring buffer pools as its own data buffers, and process the captured packets directly from there. This strategy helps to improve application performance.
  • WireCAP implements a packet transmit function that allows captured packets to be forwarded, potentially after being analyzed in flight. Thus, WireCAP can be used to support middlebox-type applications.

Related Publications & Talks

Latest Releases

Version: 2.0

Release Date: June 16, 2016

The current release consists of a kernel-mode driver and a user-mode library

  • The kernel-mode driver manages commodity NICs and provides WireCAP's low-level packet catpure and transmit services
  • The user-mode library provides a standard interface for low-level network access

OSes Supported

  • Linux operating systems
  • We are working towards to support other OSes

Commodity NICs supported

  • Intel 82599-based 10GigE NICs
  • Intel XL710-based 40GigE NICs

Download links

  • Wirecap-2.0.tar.gz


Contact Fermilab’s Office of Partnerships and Technology Transfer (OPTT) at optt@fnal.gov to obtain a copy of WireCAP.


WireCAP is designed, developed, and maintained by Fermilab Computing Sector.

If you want to report bugs, ask questions, suggest improvements, or request features, please send emails to Wenji Wu, Phil DeMar, and Liang Zhang.

Software development contributors:

  • Qiming Lu
  • Christopher H Green
  • Marc F Paterno
  • Ronald D Rechenmacher